Newly Discovered Cyber-Espionage Malware Abuses Windows BITS Service

ZDNet reported earlier today that security researchers have found another instance of a malware strain abusing the Windows Background Intelligent Transfer Service (BITS).

The malware appears to be the work of a state-sponsored cyber-espionage group that researchers have been tracking for years under the name of Stealth Falcon.

The first and only report on this hacking group was published in 2016 by Citizen Lab, a non-profit organization focusing on security and human rights.

According to the Citizen Lab report, the Stealth Falcon group has been in operation since 2012 and was seen targeting United Arab Emirates (UAE) dissidents. Previous tools included a very stealthy backdoor written in PowerShell.

Expert Comments

September 10, 2019
Richard Bejtlich
Principal Security Strategist
Corelight
As noted in the story by Catalin Cimpanu, other threat groups have conducted command-and-control using Microsoft's Background Intelligent Transfer Service (BITS) for several years, and intruders have discussed the capability to do so for over ten years. BITS is an interesting protocol in that it can use clear-text HTTP, encrypted HTTPS, or Microsoft's own Server Message Block (SMB) protocol. Intruders who use HTTP or SMB are fairly easy to find. Clear-text HTTP can be observed and interpreted directly, while enterprise networks should rarely allow SMB beyond their gateways, as it is generally considered an "intranet" protocol. As with most nefarious activity these days, HTTPS remains the difficult case. Recognizing abuse of the protocol as a transport mechanism requires gathering high-fidelity network security monitoring data, paired with threat intelligence.
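The comment above describes the clear-text HTTP case as the easy one to spot with network security monitoring data. As an added illustration (not code from the article, from Corelight, or from any of the researchers cited), the following Python script runs a simple baseline check over constructed, Zeek-style HTTP log lines: it picks out requests carrying the BITS client's HTTP User-Agent (of the form `Microsoft BITS/<version>`) and flags those whose Host is not on an allowlist of destinations the organisation expects BITS to talk to. The six-column log layout, the sample lines and the allowlist are all assumptions made for the example.

```python
import re

# Assumed, reduced Zeek-style http.log layout for this example (tab-separated):
# ts, id.orig_h, id.resp_h, host, uri, user_agent
# The lines below are constructed for illustration; they are not captured traffic.
SAMPLE_HTTP_LOG = """\
1568100000.100\t10.0.0.12\t13.107.4.50\tdownload.windowsupdate.com\t/filestreamingservice/files/abc.cab\tMicrosoft BITS/7.8
1568100005.200\t10.0.0.12\t198.51.100.23\tupdates.example-cdn.test\t/u/stage2.bin\tMicrosoft BITS/7.8
1568100007.300\t10.0.0.44\t93.184.216.34\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 10.0)
1568100009.900\t10.0.0.12\t198.51.100.23\tupdates.example-cdn.test\t/u/beacon?id=1\tMicrosoft BITS/7.8
"""

# BITS downloads over HTTP identify themselves with this User-Agent prefix.
BITS_UA = re.compile(r"^Microsoft BITS/\d")

# Destinations BITS is expected to contact in this environment. This allowlist is
# an assumption for the example; a real one comes from the organisation's own baseline.
ALLOWED_BITS_HOSTS = {
    "download.windowsupdate.com",
    "dl.delivery.mp.microsoft.com",
}


def parse_http_log(text):
    """Yield one dict per well-formed log line, skipping comments and blank lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # malformed line: ignore rather than crash the whole run
        ts, orig_h, resp_h, host, uri, user_agent = fields
        yield {
            "ts": float(ts),
            "orig_h": orig_h,
            "resp_h": resp_h,
            "host": host.lower(),
            "uri": uri,
            "user_agent": user_agent,
        }


def find_suspicious_bits(records, allowed_hosts=ALLOWED_BITS_HOSTS):
    """Return BITS-user-agent requests to non-allowlisted hosts, grouped by (client, host)."""
    hits = {}
    for rec in records:
        if not BITS_UA.match(rec["user_agent"]):
            continue  # not a BITS transfer
        if rec["host"] in allowed_hosts:
            continue  # expected destination, e.g. Windows Update
        key = (rec["orig_h"], rec["host"])
        hits.setdefault(key, []).append(rec["uri"])
    return hits


def summarize(log_text):
    """Flatten the grouped hits into a sorted list of findings for reporting."""
    hits = find_suspicious_bits(parse_http_log(log_text))
    return [
        {"client": client, "host": host, "requests": len(uris), "uris": uris}
        for (client, host), uris in sorted(hits.items())
    ]


if __name__ == "__main__":
    for finding in summarize(SAMPLE_HTTP_LOG):
        print(
            f"{finding['client']} made {finding['requests']} BITS request(s) to "
            f"non-allowlisted host {finding['host']}: {', '.join(finding['uris'])}"
        )
```

On the constructed input this reports a single finding: client 10.0.0.12 reaching `updates.example-cdn.test` twice via BITS, while the Windows Update download and the ordinary browser request are left alone. The check only works where the HTTP headers are visible, which is exactly the clear-text case the comment calls easy; over HTTPS the User-Agent is hidden, so the same allowlist idea has to be applied to the server name seen in TLS logs and paired with endpoint-side BITS job telemetry (for example the `Microsoft-Windows-Bits-Client/Operational` event log, or `Get-BitsTransfer -AllUsers` in PowerShell) and with threat intelligence on the destinations.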
